PDP & Privacy Policy

Learn how your personal data is processed, collected, and transferred by ÇEVİKBAŞ AMBALAJ, and about your rights under the Law.

PERSONAL DATA STORAGE AND DISPOSAL POLICY

PURPOSE

This Personal Data Storage and Disposal Policy (the “Policy”) has been prepared by ÇEVİKBAŞ AMBALAJ SANAYİ ANONİM ŞİRKETİ (the “COMPANY”) to determine the procedures and principles regarding the storage, and subsequent deletion, destruction, or anonymization of personal data processed and stored by the COMPANY.


SCOPE

This Policy covers our activities regarding the storage and disposal of personal data obtained from the following persons:

  1. The Company’s employees, employee candidates, interns, former employees, and their family members,
  2. Our group company’s employees, employee candidates, former employees, interns, and their family members,
  3. Representatives, proxies, and shareholders of our Company and group companies,
  4. Employees, representatives, and proxies of our business partners,
  5. Our customers and potential customers,
  6. Employees of public/private institutions and organizations,
  7. Legally authorized persons,
  8. Our visitors,
  9. Other third parties.

Explanations regarding these person group definitions are provided in ANNEX-1.

This Policy will cover all personal data obtained via electronic, physical, and other media and stored in electronic, physical, or similar media.


AUTHORITIES AND RESPONSIBILITIES

| Authority | Responsibility |
| --- | --- |
| Information Technology Manager | As the Policy Implementation Manager, ensuring and managing compliance with the personal data storage period and the coordination of the periodic disposal process. |
| Information Technology Specialists | As the Policy Implementation Officer, executing the disposal of personal data in the electronic environment. |
| General Manager | As the Policy Implementation Officer, executing the disposal of personal data in the physical environment and responsible for the execution of this Policy in accordance with their duties. |


DEFINITIONS AND ABBREVIATIONS

| Term/Abbreviation | Definition |
| --- | --- |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Special Categories of Personal Data | Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress code, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data. |
| Data Subject | The natural person whose personal data is processed. |
| Processing of Personal Data | Any operation performed upon personal data, such as collection, recording, storage, retention, alteration, rearrangement, disclosure, transfer, takeover, making available, classification, or the prevention of use, wholly or partly by automatic means or non-automatically provided that it is a part of any data recording system. |
| Explicit Consent | Consent relating to a specific matter, based on information, and disclosed with free will. |
| Anonymization | Rendering personal data impossible to link with an identified or identifiable natural person, even by matching it with other data. |
| Deletion | The process of making personal data inaccessible and unusable by the relevant users in any way. |
| Destruction | Making all physical recording media suitable for data storage, where information is stored, unrestorable and unusable. |
| Disposal | The process of deleting, destroying, or anonymizing personal data. |
| Periodic Disposal | Deletion, destruction, or anonymization process carried out ex officio at recurring intervals specified in the personal data storage and disposal policy when all of the conditions for processing personal data in the Law cease to exist. |
| Recording Medium | Any environment where personal data is located, which is processed wholly or partly by automatic means or non-automatically provided that it is a part of any data recording system. |
| Data Recording System | The recording system in which personal data is structured according to certain criteria and processed. |
| KVKK | Law on the Protection of Personal Data, No. 6698, published in the Official Gazette dated April 7, 2016, and numbered 29677. |
| Regulation | Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette dated October 28, 2017, and numbered 30224. |
| Board | Personal Data Protection Board. |
| Authority | Personal Data Protection Authority. |
| Policy | Personal Data Storage and Disposal Policy. |
| General Policy | Personal Data Protection and Processing Policy. |
| Data Controller | The person who determines the purposes and means of processing personal data and manages the place where the data is systematically kept. |
| Data Processor | A natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller. |
| Personal Data Processing Inventory | The inventory created and detailed by data controllers by associating the personal data processing activities they carry out based on their business processes with the purposes of personal data processing, data category, recipient group transferred to, and the data subject group. |
| Data Controllers Registry (VERBİS) | The data controllers registry to be established by the Presidency of the Personal Data Protection Authority in accordance with the Regulation on the Data Controllers Registry. |
| Electronic Medium | Environments where personal data can be created, read, modified, and written using electronic devices. |
| Non-Electronic Medium | All written, printed, visual, etc. media other than electronic media. |


REASONS AND PERIODS REQUIRING PERSONAL DATA STORAGE AND DISPOSAL

As the COMPANY, we store the personal data we process while providing our services for legal and reasonable periods in accordance with the KVKK, the Regulation, and related legislation, and we destroy them after these periods expire.


5.1 Legal Reasons Requiring Personal Data Storage

Personal data processed within the scope of the COMPANY's activities are kept for the period stipulated in the relevant legislation. In this context, personal data is stored for the retention periods foreseen within the framework of, but not limited to, the following:

  1. Law on the Protection of Personal Data No. 6698,
  2. Turkish Code of Obligations No. 6098,
  3. Social Insurance and General Health Insurance Law No. 5510,
  4. Law on the Regulation of Publications Made on the Internet and Combating Crimes Committed Through These Publications No. 5651,
  5. Occupational Health and Safety Law No. 6331,
  6. Labor Law No. 4857,
  7. Turkish Commercial Code No. 6102,
  8. Tax Procedure Law No. 213,
  9. Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes,
  10. Regulation on the Procedures and Principles of Occupational Health and Safety Trainings,
  11. Regulation on Providers of Mass Internet Service Use,
  12. Regulation on Commercial Electronic Messages and Commercial Communication,
  13. Other secondary regulations in force under these laws.


The COMPANY stores personal data if there are reasons requiring the processing and storage of personal data in line with the processing conditions set forth in Articles 5 and 6 of the KVKK. The storage activities carried out by the COMPANY in line with the processing conditions are explained with examples below.


| Processing Conditions | Explanations |
| --- | --- |
| Obtaining explicit consent from the data subject | Personal data is stored if the data subject gives their explicit consent for the storage activity requiring explicit consent. |
| Expressly stipulated in the laws | Personal data for which the storage and/or storage period is expressly stipulated in the laws is stored. For example, the COMPANY is obliged to store the personal health files of employees for at least 15 years from the date of leaving the job, pursuant to Article 7 of the Regulation on Occupational Health and Safety Services. |
| Establishment or performance of a contract | The COMPANY stores personal data necessary to fulfill its obligations in the contract throughout the contractual relationship. For example, employees' personal data is stored within the scope of the employment contract. |
| Fulfillment of the COMPANY's legal obligation | The COMPANY stores personal data to fulfill its legal obligation in accordance with the legal legislation. For example, personal data is stored to meet the demands of official and administrative authorities and to enable these authorities to carry out their audits. |
| Establishment, exercise, or protection of a right | The COMPANY stores the relevant personal data in order to establish and protect its right in case of future disputes or conflicts. |
| Public disclosure by the data subject | The COMPANY stores personal data disclosed by the person for as long as the disclosure continues, provided it has a legitimate interest. |
| Having a legitimate interest of the Company | The COMPANY stores personal data in order to carry out its commercial activities and relationships, provided that it does not harm the fundamental rights and freedoms of the data subject. |


Processing Purposes Requiring Storage

The COMPANY stores the personal data it processes within the scope of its activities for the following purposes:

  1. Carrying out human resources processes.
  2. Carrying out commercial activities.
  3. Carrying out marketing activities.
  4. Ensuring corporate communication.
  5. Ensuring corporate security.
  6. Carrying out finance and accounting operations.
  7. Fulfilling business and transactions as a result of signed contracts and protocols.
  8. Within the scope of VERBİS, determining the preferences and needs of employees, data controllers, contact persons, data controller representatives, and data processors, arranging the services provided accordingly, and updating them when necessary.
  9. Ensuring the fulfillment of legal obligations as required or necessitated by legal regulations.
  10. Providing contact with natural/legal persons in a business relationship with the COMPANY.
  11. Keeping evidence in case of future legal disputes.
  12. Carrying out data security activities.


Reasons Requiring Personal Data Disposal

The COMPANY will be obliged to delete, destroy, or anonymize personal data in the following cases. The COMPANY may carry out this disposal activity in the first periodic disposal process following the end of these periods.

In the following situations, the data is deleted, destroyed, or anonymized upon the request of the data subject, or deleted, destroyed, or anonymized ex officio by the COMPANY.

  1. The COMPANY does not have a legitimate purpose for processing personal data.
  2. The relevant legislation provisions constituting the basis for processing are changed or abolished.
  3. The purpose requiring processing or storage ceases to exist.
  4. In cases where personal data processing is based solely on the explicit consent condition, the data subject withdraws their explicit consent.
  5. The data subject's application for the deletion and destruction of their personal data within the framework of their rights pursuant to Article 11 of the Law is accepted by the Authority.
  6. The COMPANY rejects the data subject's application for the deletion, destruction, or anonymization of their personal data, gives an answer the data subject finds inadequate, or does not respond within the period stipulated in the KVKK; the data subject files a complaint with the Board, and the Board finds this request appropriate.
  7. The maximum period required for the storage of personal data has expired, and there is no condition justifying the storage of personal data for a longer period.

Storage and Disposal Periods

Within the scope of the conditions determined in this Section, the Storage and Disposal Periods Table (Annex-2), which includes personal data storage and disposal periods, has been created. The COMPANY will store and destroy personal data in accordance with these storage and disposal periods.

The COMPANY has determined the periodic disposal period as 6 (six) months. In this context, the COMPANY evaluates the stored personal data every 6 months and destroys the personal data whose specified storage period has expired. Data whose storage period expires after the end of this period will be destroyed in the first periodic disposal process that follows.

For example, the COMPANY may keep the records of an employee candidate who applied for a job on November 12, 2019, for 1 year, which it determines as a reasonable period. Upon the expiration of this period on November 12, 2020, the COMPANY is obliged to destroy this information in the first periodic disposal process it carries out. In this context, if the last periodic disposal process was carried out on October 10, 2020, this information will be destroyed no later than six months later, on April 10, 2021.

PERSONAL DATA STORAGE MEDIUM

6.1 Non-Electronic Medium

Personal data may be stored in a non-electronic medium as paper, form, document, contract, or any printed asset. The media where printed assets are stored are specified below:

  1. Locked cabinets in COMPANY offices,
  2. Boards in COMPANY offices and warehouses,
  3. Archive room in COMPANY offices,
  4. Drawers and folders in COMPANY offices.

In this context, all personal data that we obtain from the electronic medium but then print out or write on paper, form, or document and store are also considered to be stored in the physical medium.

6.2 Electronic Medium

Personal data may be stored in the following electronic media:

  1. Desktop and laptop computers,
  2. Mobile devices,
  3. E-mail servers,
  4. Message boxes of social media accounts,
  5. Software and connected Databases (Backup Software, Active Directory, SAP, Hybris, Jira, Eba, QDMS, Netsis, MII, ERP, SQL DB),
  6. System rooms,
  7. Portable media (USB Flash Drive, CD and DVD, etc.),
  8. Disk drives used for data storage on the network.

In this context, all personal data that we obtain in the physical medium, verbally or as printed paper, form, or document, but then record in a completely or partially automatic system, are also considered to be stored in the electronic medium.

MEASURES REGARDING PERSONAL DATA STORAGE

The COMPANY is obliged to ensure the secure storage of personal data, prevent unlawful processing, and prevent unlawful access to personal data. The administrative and technical measures taken by the COMPANY within the framework of this obligation are listed below:

Administrative Measures

  1. The contracts signed include data security provisions.
  2. Extra security measures are taken for personal data transferred via paper, and the relevant documents are sent in a classified document format.
  3. Necessary training and awareness studies are conducted for employees on ensuring the security of personal data, preventing unlawful disclosure, and sharing.
  4. Confidentiality undertakings are obtained from employees regarding the activities carried out by the COMPANY, and confidentiality agreements regarding specific activities are signed.
  5. A disciplinary procedure is applied against employees who do not comply with the internal procedures/policies/instructions regarding personal data security.
  6. Before starting personal data processing, the COMPANY fulfills the obligation to inform the data subjects.
  7. A personal data processing inventory is prepared.
  8. Corporate policies on access, information security, use, storage, and disposal are prepared and implemented.
  9. Personal data security policies and procedures are determined. Compliance with personal data security policies and procedures is monitored.
  10. Internal periodic and/or random audits are carried out and commissioned.
  11. The technical measures taken are reported periodically due to the internal audit mechanism.
  12. The use of personal data is minimized as much as possible in line with business purposes.
  13. Contracts regarding the processing, protection, and security of personal data are signed with the people with whom personal data is shared, or provisions regarding this are added to the existing contract.
  14. Personal data processing activities carried out within the COMPANY are analyzed specifically for business units, and business units are ensured to process personal data only for the purpose of carrying out their activities.
  15. A separate policy has been determined for the security of special categories of personal data.
  16. Employees involved in special categories of personal data processing processes have been provided with training on special categories of personal data security, confidentiality agreements have been made, and the authorities of users with access authorization to the data have been defined.

Technical Measures

  1. Risks, threats, vulnerabilities, and potential gaps in information systems are revealed through periodic penetration tests, and necessary measures are taken.
  2. Information technology risks are managed with effective risk assessment and response processes.
  3. All technical issues are examined by competent personnel appointed/employed by the COMPANY and/or third parties.
  4. The access authorizations of employees whose duties change or who leave the job are immediately revoked.
  5. Access procedures are created within the Company, and reporting and analysis studies regarding access to personal data are carried out.
  6. Access to storage areas containing personal data is recorded, and inappropriate access or access attempts are kept under control.
  7. Protocols considered secure are used on information systems.
  8. Authorization matrices are created for employees' access to physical and electronic systems.
  9. The security of the media containing personal data is ensured. Necessary security measures are taken regarding entry and exit to physical environments containing personal data. The security of these physical environments against external risks (fire, flood, etc.) is ensured.
  10. The physical security of the areas where the systems where personal data is processed are located has been ensured and protected against risks such as unauthorized access, fire, flood, earthquake, moisture, etc.
  11. Network security and application security are ensured. Networks are separated into virtual networks according to their usage purposes.
  12. A closed system network is used for personal data transfers via the network.
  13. Wireless networks are encrypted, and unauthorized access is not allowed.
  14. Security measures are taken within the scope of information technology system supply, development, and maintenance. System acquisitions are provided with a security perspective in system development processes.
  15. The security of personal data stored in the cloud is ensured.
  16. Log records are kept in a way that prevents user intervention.
  17. A secure protocol (HTTPS) is used when accessing the COMPANY's website.
  18. Appropriate security patches are installed on the systems in a timely manner, and information systems are kept up-to-date.
  19. Strong passwords are used in COMPANY systems.
  20. Data masking measures are applied when necessary.
  21. Up-to-date anti-virus systems are used on all servers and clients.
  22. Firewalls are used and managed.
  23. The scope and duration of authorization of users who have access authorization to the data are determined.
  24. Access authorizations to systems are reviewed periodically.
  25. Data backup programs that ensure the secure storage of personal data are used.
  26. VPN and logging measures are applied during the access of third parties to the Company network and the sharing of personal data with third parties.
  27. Electronic environments where personal data, including special categories of personal data, are processed, stored, and/or accessed, are kept using strict access management, and all transaction records are logged.
  28. Adequate security measures are taken for physical environments where special categories of personal data are processed, stored, and/or accessed, and unauthorized entry and exit are prevented by ensuring physical security.
  29. If special categories of personal data need to be transferred via e-mail, they are transferred only in encrypted form, using a corporate e-mail address or a KEP (Registered Electronic Mail) account. If the transfer is performed between servers in different physical environments, data transfer is performed over a VPN, MPLS, or similar link established between the servers. If transfer via paper medium is required, necessary measures are taken against risks such as theft, loss, or unauthorized viewing of the document, and the document is sent in a "confidential" format.
  30. Consulting services are received from expert external sources regarding technical security.

MEASURES REGARDING PERSONAL DATA DISPOSAL

8.1 Disposal Processes

8.1.1 Deletion of Personal Data

Deletion of personal data refers to the process of making personal data completely inaccessible and unusable for the relevant users. The COMPANY creates an access authorization and control matrix at the user level for this purpose and implements it within the framework of a policy. It takes the necessary measures to perform the deletion process in the database.

8.1.2 Destruction of Personal Data

Destruction of personal data refers to the process of making personal data completely inaccessible, unrestorable, and unusable by anyone in any way.

8.1.3 Anonymization of Personal Data

Anonymization of personal data refers to the process of making personal data impossible to link with an identified or identifiable natural person, even by matching it with other data.

8.2 Disposal Techniques to be Used

The COMPANY will destroy personal data in accordance with the Guide on the Deletion, Destruction, and Anonymization of Personal Data published by the Authority. Some of the disposal techniques that the COMPANY will apply are given as examples below:

8.2.1 Deletion Techniques

  1. Deletion with Deletion Command: Deletion of personal data with the deletion command in the electronic data medium. The deleted data will become completely inaccessible and unusable.
  2. Deletion via Software: Deletion of personal data with appropriate software to ensure a secure deletion process.

8.2.2 Destruction Techniques

  1. Degaussing: The process of making the data on magnetic media unreadable by subjecting it to a very high magnetic field by passing it through a special device.
  2. Physical Destruction: The process of physically destroying optical media and magnetic media.
  3. Overwriting: The process of preventing the recovery of old data by writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media. This process is carried out using special software.

8.2.3 Anonymization Techniques

  1. Masking: Methods such as obscuring, crossing out, starring, electronic removal, and similar methods for personal data. For example, A***** Y* instead of Ahmet Yıldırım, or the name can be starred.
  2. Generalization: The process of converting the relevant personal data from a specific value to a more general value.

REFERENCES AND BASIS

  1. Regulation on the Deletion, Destruction, and Anonymization of Personal Data

RELATED DOCUMENTS

  1. Personal Data Processing and Protection Policy
  2. Illumination Text Regarding Employees' Personal Data
  3. Personal Data Processing and Protection Policy for Employees


Elbette, sunduğunuz "KİŞİSEL VERİLERİ SAKLAMA VE İMHA POLİTİKASI" metninin formatını ve yapısını koruyarak İngilizce çevirisini aşağıda bulabilirsiniz.

PERSONAL DATA STORAGE AND DISPOSAL POLICY

PURPOSE

This Personal Data Storage and Disposal Policy (the “Policy”) has been prepared by ÇEVİKBAŞ AMBALAJ SANAYİ ANONİM ŞİRKETİ (the “COMPANY”) to determine the procedures and principles regarding the storage, and subsequent deletion, destruction, or anonymization of personal data processed and stored by the COMPANY.

SCOPE

This Policy covers our activities regarding the storage and disposal of personal data obtained from the following persons:

  1. The Company’s employees, employee candidates, interns, former employees, and their family members,
  2. Our group company’s employees, employee candidates, former employees, interns, and their family members,
  3. Representatives, proxies, and shareholders of our Company and group companies,
  4. Employee, representative, and proxy of our business partners,
  5. Our customers and potential customers,
  6. Employees of public/private institutions and organizations,
  7. Legally authorized persons,
  8. Our visitors,
  9. Other third parties.

Explanations regarding these person group definitions are provided in ANNEX-1.

This Policy will cover all personal data obtained via electronic, physical, and other media and stored in electronic, physical, or similar media.

AUTHORITIES AND RESPONSIBILITIES

AuthorityResponsibility
Information Technology ManagerAs the Policy Implementation Manager, ensuring and managing compliance with the personal data storage period and the coordination of the periodic disposal process.
Information Technology SpecialistsAs the Policy Implementation Officer, executing the disposal of personal data in the electronic environment.
General ManagerAs the Policy Implementation Officer, executing the disposal of personal data in the physical environment and responsible for the execution of this Policy in accordance with their duties.

DEFINITIONS AND ABBREVIATIONS

Term/AbbreviationDefinition
Personal DataAny information relating to an identified or identifiable natural person.1
Special Categories of Personal Data2Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or ot3her beliefs, dress code, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
Data SubjectThe natural person whose personal data is processed.
Processing of Personal DataAny operation performed upon personal data, such as collection, recording, storage, retention, alteration, rearrangement, disclosure, transfer, takeover, making available, classification, or the prevention of use, wholly or partly by automatic means or non-automatically provided that it is a part of any data recording system.
Explicit ConsentConsent relating to a specific matter, based on information, and disclosed with free will.
AnonymizationRendering personal data impossible to link with an identified or identifiable natural person, even by matching it with other data.
DeletionThe process of making personal data inaccessible and unusable by the relevant users in any way.
DestructionMaking all physical recording media suitable for data storage, where information is stored, unrestorable and unusable.
DisposalThe process of deleting, destroying, or anonymizing personal data.
Periodic DisposalDeletion, destruction, or anonymization process carried out ex officio at recurring intervals specified in the personal data storage and disposal policy when all of the conditions for processing personal data in the Law cease to exist.
Recording MediumAny environment where personal data is located, which is processed wholly or partly by automatic means or non-automatically provided that it is a part of any data recording system.
Data Recording SystemThe recording system in which personal data is structured according to certain criteria and processed.
KVKKLaw on the Protection of Personal Data, No. 6698, published in the Official Gazette dated April 7, 2016, and numbered 29677.
RegulationRegulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette dated October 28, 2017, and numbered 30224.
BoardPersonal Data Protection Board.
AuthorityPersonal Data Protection Authority.
PolicyPersonal Data Storage and Disposal Policy.
General PolicyPersonal Data Protection and Processing Policy.
Data ControllerThe person who determines the purposes and means of processing personal data and manages the place where the data is systematically kept.
Data ProcessorA natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller.
Personal Data Processing InventoryThe inventory created and detailed by data controllers by associating the personal data processing activities they carry out based on their business processes with the purposes of personal data processing, data category, recipient group transferred to, and the data subject group.
Data Controllers Registry (VERBİS)The data controllers registry to be established by the Presidency of the Personal Data Protection Authority in accordance with the Regulation on the Data Controllers Registry.
Electronic MediumEnvironments where personal data can be created, read, modified, and written using electronic devices.
Non-Electronic MediumAll written, printed, visual, etc. media other than electronic media.

REASONS AND PERIODS REQUIRING PERSONAL DATA STORAGE AND DISPOSAL

As the COMPANY, we store the personal data we process while providing our services for legal and reasonable periods in accordance with the KVKK, the Regulation, and related legislation, and we destroy them after these periods expire.

5.1 Legal Reasons Requiring Personal Data Storage

Personal data processed within the scope of the COMPANY's activities are kept for the period stipulated in the relevant legislation. In this context, personal data is stored for the retention periods foreseen within the framework of, but not limited to, the following:

  1. Law on the Protection of Personal Data No. 6698,
  2. Turkish Code of Obligations No. 6098,
  3. Social Insurance and General Health Insurance Law No. 5510,
  4. Law on the Regulation of Publications Made on the Internet and Combating Crimes Committed Through These Publications No. 5651,
  5. Occupational Health and Safety Law No. 6331,
  6. Labor Law No. 4857,
  7. Turkish Commercial Code No. 6102,
  8. Tax Procedure Law No. 213,
  9. Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes,
  10. Regulation on the Procedures and Principles of Occupational Health and Safety Trainings,
  11. Regulation on Providers of Mass Internet Service Use,
  12. Regulation on Commercial Electronic Messages and Commercial Communication,
  13. Other secondary regulations in force under these laws.

The COMPANY stores personal data if there are reasons requiring the processing and storage of personal data in line with the processing conditions set forth in Articles 5 and 6 of the KVKK. The storage activities carried out by the COMPANY in line with the processing conditions are explained with examples below.

| Processing Conditions | Explanations |
| --- | --- |
| Obtaining explicit consent from the data subject | Personal data is stored if the data subject gives their explicit consent for the storage activity requiring explicit consent. |
| Expressly stipulated in the laws | Personal data for which the storage and/or storage period is expressly stipulated in the laws is stored. For example, the COMPANY is obliged to store the personal health files of employees for at least 15 years from the date of leaving the job, pursuant to Article 7 of the Regulation on Occupational Health and Safety Services. |
| Establishment or performance of a contract | The COMPANY stores personal data necessary to fulfill its obligations in the contract throughout the contractual relationship. For example, employees' personal data is stored within the scope of the employment contract. |
| Fulfillment of the COMPANY's legal obligation | The COMPANY stores personal data to fulfill its legal obligation in accordance with the legal legislation. For example, personal data is stored to meet the demands of official and administrative authorities and to enable these authorities to carry out their audits. |
| Establishment, exercise, or protection of a right | The COMPANY stores the relevant personal data in order to establish and protect its right in case of future disputes or conflicts. |
| Public disclosure by the data subject | The COMPANY stores personal data disclosed by the person for as long as the disclosure continues, provided it has a legitimate interest. |
| Having a legitimate interest of the Company | The COMPANY stores personal data in order to carry out its commercial activities and relationships, provided that it does not harm the fundamental rights and freedoms of the data subject. |

Processing Purposes Requiring Storage

The COMPANY stores the personal data it processes within the scope of its activities for the following purposes:

  1. Carrying out human resources processes.
  2. Carrying out commercial activities.
  3. Carrying out marketing activities.
  4. Ensuring corporate communication.
  5. Ensuring corporate security.
  6. Carrying out finance and accounting operations.
  7. Fulfilling business and transactions as a result of signed contracts and protocols.
  8. Within the scope of VERBİS, determining the preferences and needs of employees, data controllers, contact persons, data controller representatives, and data processors, arranging the services provided accordingly, and updating them when necessary.
  9. Ensuring the fulfillment of legal obligations as required or necessitated by legal regulations.
  10. Providing contact with natural/legal persons in a business relationship with the COMPANY.
  11. Keeping evidence in case of future legal disputes.
  12. Carrying out data security activities.

Reasons Requiring Personal Data Disposal

The COMPANY will be obliged to delete, destroy, or anonymize personal data in the following cases. The COMPANY may carry out this disposal activity in the first periodic disposal process following the end of these periods.

In the following situations, the data is deleted, destroyed, or anonymized upon the request of the data subject, or deleted, destroyed, or anonymized ex officio by the COMPANY.

  1. The COMPANY does not have a legitimate purpose for processing personal data.
  2. The relevant legislation provisions constituting the basis for processing are changed or abolished.
  3. The purpose requiring processing or storage ceases to exist.
  4. In cases where personal data processing is based solely on the explicit consent condition, the data subject withdraws their explicit consent.
  5. The data subject's application for the deletion and destruction of their personal data within the framework of their rights pursuant to Article 11 of the Law is accepted by the Authority.
  6. The COMPANY rejects the data subject's application for the deletion, destruction, or anonymization of their personal data, the data subject finds the COMPANY's answer inadequate, or the COMPANY does not respond within the period stipulated in the KVKK; the data subject files a complaint with the Board, and this request is found appropriate by the Board.
  7. The maximum period required for the storage of personal data has expired, and there is no condition justifying the storage of personal data for a longer period.

Storage and Disposal Periods

Within the scope of the conditions determined in this Section, the Storage and Disposal Periods Table (Annex-2), which includes personal data storage and disposal periods, has been created. The COMPANY will store and destroy personal data in accordance with these storage and disposal periods.

The COMPANY has determined the periodic disposal period as 6 (six) months. In this context, the COMPANY evaluates the stored personal data every 6 months and destroys the personal data whose specified storage period has expired. Data whose storage period expires after a periodic disposal process has ended will be destroyed in the next periodic disposal process.

For example, the COMPANY may keep the records of an employee candidate who applied for a job on November 12, 2019, for 1 year, which it determines as a reasonable period. Upon the expiration of this period on November 12, 2020, the COMPANY is obliged to destroy this information in the first periodic disposal process it carries out. In this context, if the last periodic disposal process was carried out on October 10, 2020, this information will be destroyed no later than six months later, on April 10, 2021.

PERSONAL DATA STORAGE MEDIUM

6.1 Non-Electronic Medium

Personal data may be stored in a non-electronic medium as paper, form, document, contract, or any printed asset. The media where printed assets are stored are specified below:

  1. Locked cabinets in COMPANY offices,
  2. Boards in COMPANY offices and warehouses,
  3. Archive room in COMPANY offices,
  4. Drawers and folders in COMPANY offices.

In this context, all personal data that we obtain from the electronic medium but then print out or write on paper, form, or document and store are also considered to be stored in the physical medium.

6.2 Electronic Medium

Personal data may be stored in the following electronic media:

  1. Desktop and laptop computers,
  2. Mobile devices,
  3. E-mail servers,
  4. Message boxes of social media accounts,
  5. Software and connected Databases (Backup Software, Active Directory, SAP, Hybris, Jira, Eba, QDMS, Netsis, MII, ERP, SQL DB),
  6. System rooms,
  7. Portable media (USB Flash Drive, CD and DVD, etc.),
  8. Disk drives used for data storage on the network.

In this context, all personal data that we obtain in the physical medium, verbally or as printed paper, form, or document, but then record in a completely or partially automatic system, are also considered to be stored in the electronic medium.

MEASURES REGARDING PERSONAL DATA STORAGE

The COMPANY is obliged to ensure the secure storage of personal data, prevent unlawful processing, and prevent unlawful access to personal data. The administrative and technical measures taken by the COMPANY within the framework of this obligation are listed below:

Administrative Measures

  1. The contracts signed include data security provisions.
  2. Extra security measures are taken for personal data transferred via paper, and the relevant documents are sent in a classified document format.
  3. Necessary training and awareness studies are conducted for employees on ensuring the security of personal data, preventing unlawful disclosure, and sharing.
  4. Confidentiality undertakings are obtained from employees regarding the activities carried out by the COMPANY, and confidentiality agreements regarding specific activities are signed.
  5. A disciplinary procedure is applied against employees who do not comply with the internal procedures/policies/instructions regarding personal data security.
  6. Before starting personal data processing, the COMPANY fulfills the obligation to inform the data subjects.
  7. A personal data processing inventory is prepared.
  8. Corporate policies on access, information security, use, storage, and disposal are prepared and implemented.
  9. Personal data security policies and procedures are determined. Compliance with personal data security policies and procedures is monitored.
  10. Internal periodic and/or random audits are carried out and commissioned.
  11. The technical measures taken are reported periodically under the internal audit mechanism.
  12. The use of personal data is minimized as much as possible in line with business purposes.
  13. Contracts regarding the processing, protection, and security of personal data are signed with the people with whom personal data is shared, or provisions regarding this are added to the existing contract.
  14. Personal data processing activities carried out within the COMPANY are analyzed specifically for business units, and business units are ensured to process personal data only for the purpose of carrying out their activities.
  15. A separate policy has been determined for the security of special categories of personal data.
  16. Employees involved in special categories of personal data processing processes have been provided with training on special categories of personal data security, confidentiality agreements have been made, and the authorities of users with access authorization to the data have been defined.

Technical Measures

  1. Risks, threats, vulnerabilities, and potential gaps in information systems are revealed through periodic penetration tests, and necessary measures are taken.
  2. Information technology risks are managed with effective risk assessment and response processes.
  3. All technical issues are examined by competent personnel appointed/employed by the COMPANY and/or third parties.
  4. The access authorizations of employees whose duties change or who leave the job are immediately revoked.
  5. Access procedures are created within the Company, and reporting and analysis studies regarding access to personal data are carried out.
  6. Access to storage areas containing personal data is recorded, and inappropriate access or access attempts are kept under control.
  7. Protocols considered secure are used on information systems.
  8. Authorization matrices are created for employees' access to physical and electronic systems.
  9. The security of the media containing personal data is ensured. Necessary security measures are taken regarding entry and exit to physical environments containing personal data. The security of these physical environments against external risks (fire, flood, etc.) is ensured.
  10. The physical security of the areas housing the systems in which personal data is processed has been ensured, and these areas are protected against risks such as unauthorized access, fire, flood, earthquake, moisture, etc.
  11. Network security and application security are ensured. Networks are separated into virtual networks according to their usage purposes.
  12. A closed system network is used for personal data transfers via the network.
  13. Wireless networks are encrypted, and unauthorized access is not allowed.
  14. Security measures are taken within the scope of information technology system supply, development, and maintenance. Security is taken into account in system acquisitions and system development processes.
  15. The security of personal data stored in the cloud is ensured.
  16. Log records are kept in a way that prevents user intervention.
  17. A secure protocol (HTTPS) is used when accessing the COMPANY's website.
  18. Appropriate security patches are installed on the systems in a timely manner, and information systems are kept up-to-date.
  19. Strong passwords are used in COMPANY systems.
  20. Data masking measures are applied when necessary.
  21. Up-to-date anti-virus systems are used on all servers and clients.
  22. Firewalls are used and managed.
  23. The scope and duration of authorization of users who have access authorization to the data are determined.
  24. Access authorizations to systems are reviewed periodically.
  25. Data backup programs that ensure the secure storage of personal data are used.
  26. VPN and logging measures are applied during the access of third parties to the Company network and the sharing of personal data with third parties.
  27. Electronic environments where personal data, including special categories of personal data, are processed, stored, and/or accessed, are kept using strict access management, and all transaction records are logged.
  28. Adequate security measures are taken for physical environments where special categories of personal data are processed, stored, and/or accessed, and unauthorized entry and exit are prevented by ensuring physical security.
  29. If special categories of personal data need to be transferred via e-mail, they are transferred only in encrypted form, using a corporate e-mail address or a KEP (Registered Electronic Mail) account. If the transfer is performed between servers in different physical environments, data transfer is performed by establishing VPN – MPLS, etc. between the servers. If transfer via paper medium is required, necessary measures are taken against risks such as theft, loss, or unauthorized viewing of the document, and the document is sent in a "confidential" format.
  30. Consulting services are received from expert external sources regarding technical security.

MEASURES REGARDING PERSONAL DATA DISPOSAL

8.1 Disposal Processes

8.1.1 Deletion of Personal Data

Deletion of personal data refers to the process of making personal data completely inaccessible and unusable for the relevant users. The COMPANY creates an access authorization and control matrix at the user level for this purpose and implements it within the framework of a policy. It takes the necessary measures to perform the deletion process in the database.

8.1.2 Destruction of Personal Data

Destruction of personal data refers to the process of making personal data completely inaccessible, unrestorable, and unusable by anyone in any way.

8.1.3 Anonymization of Personal Data

Anonymization of personal data refers to the process of making personal data impossible to link with an identified or identifiable natural person, even by matching it with other data.

8.2 Disposal Techniques to be Used

The COMPANY will destroy personal data in accordance with the Guide on the Deletion, Destruction, and Anonymization of Personal Data published by the Authority. Some of the disposal techniques that the COMPANY will apply are given as examples below:

8.2.1 Deletion Techniques

  1. Deletion with Deletion Command: Deletion of personal data with the deletion command in the electronic data medium. The deleted data will become completely inaccessible and unusable.
  2. Deletion via Software: Deletion of personal data with appropriate software to ensure a secure deletion process.

8.2.2 Destruction Techniques

  1. Degaussing: The process of making the data on magnetic media unreadable by subjecting it to a very high magnetic field by passing it through a special device.
  2. Physical Destruction: The process of physically destroying optical media and magnetic media.
  3. Overwriting: The process of preventing the recovery of old data by writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media. This process is carried out using special software.

8.2.3 Anonymization Techniques

  1. Masking: Methods such as obscuring, crossing out, starring, electronic removal, and similar methods for personal data. For example, A***** Y* instead of Ahmet Yıldırım, or the name can be starred.
  2. Generalization: The process of converting the relevant personal data from a specific value to a more general value.


REFERENCES AND BASIS

  1. Regulation on the Deletion, Destruction, and Anonymization of Personal Data


RELATED DOCUMENTS

  1. Personal Data Processing and Protection Policy
  2. Illumination Text Regarding Employees' Personal Data
  3. Personal Data Processing and Protection Policy for Employees


ANNEX-1 PERSON GROUPS

| Person Groups | Explanations |
| --- | --- |
| Customer | Persons who currently receive products/services from the COMPANY or who have committed to receiving them. |
| Potential Customer | Persons who do not currently receive the relevant product/service from the COMPANY but are likely to receive it. |
| Company Representative or Proxy | Persons who represent or act as proxy for the COMPANY (lawyers consulted by the COMPANY, board member authorized to represent and bind the COMPANY). |
| Shareholder | Natural persons who are shareholders in the COMPANY. |
| Supplier | Employee, employee candidate, representative, or proxy of the companies from which the COMPANY receives services. |
| Business Partner | Employee, employee candidate, representative, or proxy of the companies the COMPANY works with in its activities. |
| Employee | Persons employed by the COMPANY as an employer and who have an employment contract with the COMPANY. |
| Employee Candidate | Natural persons who have applied for a job at the COMPANY by any means or who have made their resume and related information available for the COMPANY's review. |
| Intern | Natural persons who are doing their internship at the COMPANY. |
| Visitor | Persons visiting the COMPANY campuses and websites. |
| Legally Authorized Person | Persons working in legally authorized public institutions and organizations or private individuals and organizations. |
| Third Party | Other natural persons not specified here (e.g., Guarantor, former employee, etc.) |


ANNEX-2 STORAGE AND DISPOSAL PERIODS TABLE

The storage periods for the processes in the table below have been determined based on the legislation in force on the date this Policy came into effect. The said periods will be interrupted if a lawsuit is filed by the data subject, and the personal data subject to the lawsuit will be stored based on the legal reason for the protection of a right until the lawsuit is finalized.


| Personal Data Category | Storage Period | Disposal Period |
| --- | --- | --- |
| In contractual relationships (Turkish Code of Obligations general statute of limitations) | 10 years from the end of the commercial relationship | In the first periodic process occurring every 6 months from the end of the period |
| Payment transactions in customer goods/services relationships | 10 years from the end of the business relationship | In the first periodic process occurring every 6 months from the end of the period |
| Part of the contract process and preservation of the contract | 10 years from the end of the business relationship | In the first periodic process occurring every 6 months from the end of the period |
| Job applications of employee candidates | 1 year from the date of job application | In the first periodic process occurring every 6 months from the end of the period |
| Planning of human resources processes | 10 years from the end of the business relationship | In the first periodic process occurring every 6 months from the end of the period |
| Occupational health and safety activities | 10 years from the end of the business relationship, health files 15 years from the end of the business relationship | In the first periodic process occurring every 6 months from the end of the period |
| Execution of employee leave and compensation processes | 10 years from the end of the business relationship | In the first periodic process occurring every 6 months from the end of the period |
| Personal data regarding employees' wage rights | 5 Years | In the first periodic process occurring every 6 months from the end of the period |
| Access / Log Records | 2 Years | In the first periodic process occurring every 6 months from the end of the period |
| General Assembly Transactions | 10 Years | In the first periodic process occurring every 6 months from the end of the period |
| Information belonging to company partners and board members | 10 Years | In the first periodic process occurring every 6 months from the end of the period |
| Visitor records to system rooms | During the contract period | In the first periodic process occurring every 6 months from the end of the period |
| Employee, Company Representative or Proxy (General Assembly, Board of Directors resolution and commercial ledger record preparation process) | 10 years starting from the beginning of the year following the calendar year in which the documents were formed, made, or prepared | In the first periodic process occurring every 6 months from the end of the period |
| Camera Recordings | 20 Days | In the first periodic process occurring every 6 months from the end of the period |
| Psychometric Data | During the contract period | In the first periodic process occurring every 6 months from the end of the period |
| Incident Detection Information | 10 years from the end of the business relationship | In the first periodic process occurring every 6 months from the end of the period |
| Family Member Information | 10 years from the end of the business relationship | In the first periodic process occurring every 6 months from the end of the period |
| Customer Request and Complaint Information | 10 years from the end of the business relationship | |

